Flows? IDS? The bugs in the rug of NMS.

I’ve been focused primarily on network flows (using argus) and after having the data for weeks, reviewing the contents, I ended up sighing and saying “what am I supposed to do with all this lovely data?”

I’ve been too focused on the bug in the rug that is network flows, when I should have stepped back far enough to see the rug, actually seeing where network flows lay within a network security monitoring architecture. Duh!

I was in the midst of writing a laundry list of features included in a few IDS systems, focusing on creating an NSM, but after a short romp in the NSMwiki and sguil docs, I came across a sample chapter from Richard Bejtlich’s book The Tao of Network Security Monitoring: Beyond Intrusion Detection (which is in my amazon wishlist *cough*cough*) discussing sguil, formally titled “Why Sguil Is the Best Option for Network Security Monitoring Data”. It analyzes a variety of solutions and where each fits in solving the problems presented.

Richard clearly focuses on why using Sguil is the best solution, and lists downfalls of several other applications that are used to cover similar things.

Richard also wrote up how to install the sguil TCL/TK client on a Windows box, and there is also an entry on the NSMwiki which makes sure you’re using the latest TLS module.

Note that the required ActiveTcl version, 8.4.X, is available on the main download page; just scroll down.

Did I waste time on argus? Nope, I gained a lot of knowledge and argus is commonly used to complement sguil to provide more context to alerts. I do still have my supreme goal of using d3js to render argus data, so keep an eye out.

And eight years late to the party… onward. Then squert.
